Known Limitations of Using Cisco ISE on AWS

jitendrac (Level 1)

Hi All,

It is mentioned in the documentation https://www.cisco.com/c/en/us/td/docs/security/ise/3-1/install_guide/b_ise_InstallationGuide31/m_ISEaaS.html ISE in AWS has some known limitations. One known rule mentioned is that "The Amazon VPC supports only Layer 3 features. Cisco ISE nodes on AWS instances do not support Cisco ISE functions that depend on Layer 1 and Layer 2 capabilities. For example, working with DHCP SPAN profiler probes and CDP protocols that use the Cisco ISE CLI is not supported."

Can someone explain the meaning of this limitation? And can I get a list of ISE functions that will not work due to this limitation of Layer 1 and Layer 2 capabilities of AWS?

I can think of device profiling as one function that may be affected. Will it affect any posture check functions, or any 802.1X authentication methods?

Accepted Solution

Arne Bier (VIP)

What the documentation says about ISE CLI and CDP is that you won't see CDP neighbors in the ISE CLI. Fair enough - in my experience it doesn't work half of the time anyway. CDP runs on L2.

And ISE in AWS will work just fine for all RADIUS functionalities, since the RADIUS messages are UDP based (L4) and come to ISE via L3 (IP) transport. RADIUS functionality in AWS is identical with that of on-prem.

Another limitation/difference is that one can't SSH to the ISE CLI using username/password creds - you must use public/private keys. But that is also common in public cloud environments.


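To make the L3/L4 point in the accepted answer concrete, here is an added example (not code from the thread, from Cisco, or from ISE itself) that builds a minimal RADIUS Access-Request from scratch per RFC 2865/3579 and optionally sends it over plain UDP to port 1812. Everything it needs is an IP path to the server and a shared secret, which is exactly what a VPC provides; by contrast, DHCP SPAN profiler probes and CDP need raw Ethernet frames (mirrored traffic, CDP multicasts) that a VPC never delivers to the instance. The server address, shared secret, NAS IP and credentials are made-up placeholders, and the response builder is only a local stand-in for what the server would do.

```python
"""Minimal RADIUS Access-Request (RFC 2865) with Message-Authenticator (RFC 3579).

Added example: shows that RADIUS is pure UDP over IP, so it works wherever L3
reachability exists. All addresses, secrets and credentials are placeholders.
"""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4
ATTR_MESSAGE_AUTHENTICATOR = 80


def encrypt_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to a 16-byte multiple, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def decrypt_password(encrypted: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of encrypt_password (the XOR keystream depends on the ciphertext blocks)."""
    out, prev = b"", authenticator
    for i in range(0, len(encrypted), 16):
        key = hashlib.md5(secret + prev).digest()
        block = encrypted[i:i + 16]
        out, prev = out + bytes(a ^ b for a, b in zip(block, key)), block
    return out.rstrip(b"\x00")


def attr(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length counts the two header bytes."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier, username, password, secret, nas_ip, authenticator=None):
    authenticator = authenticator or os.urandom(16)  # 16 random bytes, fresh per request
    attrs = (
        attr(ATTR_USER_NAME, username.encode())
        + attr(ATTR_USER_PASSWORD, encrypt_password(password.encode(), secret, authenticator))
        + attr(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
        + attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)  # placeholder, filled below
    )
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator
    # RFC 3579 3.2: HMAC-MD5 over the whole packet with Message-Authenticator zeroed
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac


def parse_attributes(packet: bytes):
    """Return [(type, value), ...] for the attributes following the 20-byte header."""
    attrs, pos = [], 20
    while pos + 2 <= len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2:
            raise ValueError("malformed attribute length")
        attrs.append((attr_type, packet[pos + 2:pos + length]))
        pos += length
    return attrs


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    pos = 20
    while pos + 2 <= len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and length == 18:
            zeroed = packet[:pos + 2] + b"\x00" * 16 + packet[pos + 18:]
            mac = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(mac, packet[pos + 2:pos + 18])
        pos += max(length, 2)
    return False


def build_response(code: int, request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """Local stand-in for the server side: Response Authenticator per RFC 2865 3."""
    head = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    resp_auth = hashlib.md5(head + request[4:20] + attrs + secret).digest()
    return head + resp_auth + attrs


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """Client-side check that the reply was produced by a holder of the shared secret."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    if struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def send_access_request(packet: bytes, server: str, port: int = 1812, timeout: float = 3.0):
    """Plain UDP send/receive: only L3/L4 reachability is required. Returns None on timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (server, port))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None
    return data


if __name__ == "__main__":
    # Placeholder values; point at a real ISE PSN and shared secret to exercise the UDP path.
    secret = b"testing123"
    req = build_access_request(7, "alice", "s3cret", secret, "10.0.0.5")
    reply = send_access_request(req, "192.0.2.10")
    if reply is None:
        print("no reply (server unreachable or secret/NAS not configured)")
    else:
        print("reply code", reply[0], "valid:", verify_response(reply, req, secret))
```

Note that User-Password and the authenticators are MD5-based, so the shared secret is all that protects the exchange on the wire; in a VPC that means keeping RADIUS inside the security-group boundary or running it over RadSec/IPsec, exactly as you would on-prem.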